No software is 100% secure and WordPress is no exception to that rule. Powering nearly a quarter of all websites worldwide, the platform is naturally an irresistible target for hackers and has been the subject of many attacks over the years.
People who remember early security stumbles such as the various serious vulnerabilities discovered in 2009 may have long ago written the platform off as being inherently insecure – this would be wrong.
For every exploit or vulnerability which has caused issues, there’ve been dozens – if not hundreds – caught in time thanks to a combination of user reports, WordPress’ dedicated security team and the efforts of independent developers.
In this article we’ll cover five essential security measures you must master to keep your site safe and a range of handy plugin solutions to help you do so.
Let’s start with what you need to know.
1. Use Strong Usernames and Passwords
By far the most common and easily avoidable mistake people make when performing a WordPress install is not changing the default admin username.
The reason this should be done is simple: if someone’s trying to brute-force their way into your website, leaving the default username as it is basically takes one variable out of the equation and means the bad guys only need to guess your password.
Users have been able to choose their own admin username during setup since WordPress 3.0. If you didn’t get this option during the installation process and have been ignoring the WordPress update alerts on your dashboard, right now might be the perfect time to perform those upgrades and take care of business.
Your password is your second line of defense and, though I’m sure you’re tired of being told to pick strong passwords and use unique ones for every site, it’s really something you have to do. The minor amount of effort this requires when you go about it in an organized way is trivial compared to the hassle of trying to repair a compromised site.
A good password manager will almost always include strong password generation tools and will make managing your various logins a piece of cake. LastPass, Roboform and 1Password are all excellent options in this regard.
For an added layer of security, you should also enable two-factor authentication through the use of plugins such as iThemes Security (covered in our list below). It’s easy for site owners to gloss over this step to make logging in for themselves as hassle-free as possible. You’ll be glad to have activated the option when you receive your first notifications about failed login attempts from unknown sources though.
2. Secure Your Login Screen
Even if your username/password combination is as secure as Fort Knox, a dedicated attacker could potentially gain access to your dashboard given enough time if your login screen isn’t secured against brute-force attacks.
An easy way to avoid this is to limit the number of login attempts allowed from any single source within a specific period of time. While the same IP address trying to log in time after time unsuccessfully could be attributed to someone having a lousy memory, it’s much more likely to be an attacker trying different permutations of usernames and passwords.
Your login screen also shouldn’t inform users which field they’ve made a mistake in if they fail to provide the right information. As mentioned up above, anything that potentially helps attackers narrow down their options by eliminating a variable is to be avoided.
Captchas can also be a valuable tool when securing login screens against attacks from bots. Although resourceful hackers have turned to farming captcha solving out to actual humans in order to brute-force sites in the past, they still help you set up a small roadblock and shouldn’t be overlooked – especially considering how easy they are to set up.
Another measure you can take is configuring notifications to be sent to you whenever there’s a login attempt that could be considered fishy. For example, are you supposed to be the only one with access to the dashboard? Then why is some guy in Russia trying to log in at three in the morning? Installing a firewall to block IP addresses that have previously been blacklisted is also a sensible move. All of this can be achieved via the plugins we’ll list later.
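As an added example (not part of the original article), here is a small POSIX shell/awk detector that applies the rule from this section to a web server access log: it counts failed login POSTs per source address inside a sliding time window and flags any source that reaches the threshold. The log lines are constructed for the demonstration; treating a 200 response to a POST on wp-login.php as a failed attempt (WordPress redirects with 302 on success) is an assumption about the server log, and the 5-in-10-minutes threshold is a chosen value, not one from the article.

```shell
#!/bin/sh
# Constructed Apache combined-log lines (not real traffic): one user who logs in
# successfully (302), one source firing failed attempts (200) in quick succession,
# and one slow source spacing its failures twenty minutes apart.
SAMPLE_LOG='203.0.113.7 - - [14/Sep/2015:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2015:03:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Sep/2015:03:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2015:03:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2015:03:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2015:03:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Sep/2015:03:15:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Sep/2015:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "curl/7.43"
192.0.2.9 - - [14/Sep/2015:03:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "curl/7.43"
192.0.2.9 - - [14/Sep/2015:04:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "curl/7.43"'

# flag_bruteforce THRESHOLD WINDOW_SECONDS < access_log
# Prints "ip time" once per source whose failed wp-login.php POSTs reach THRESHOLD
# inside any WINDOW_SECONDS span.  Assumption: a POST answered with 200 is a failed
# attempt (the form is re-rendered) and a 302 redirect is a success.  Lines are
# assumed to be in time order and from one day, so HH:MM:SS suffices for the window.
flag_bruteforce() {
    awk -v thr="$1" -v win="$2" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" {
            ip = $1
            split(substr($4, 14, 8), hms, ":")     # $4 looks like [14/Sep/2015:03:00:01
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]
            n[ip]++; ts[ip, n[ip]] = t
            if (!(ip in head)) head[ip] = 1
            while (ts[ip, head[ip]] < t - win) head[ip]++   # drop attempts older than the window
            if (n[ip] - head[ip] + 1 >= thr && !(ip in flagged)) {
                flagged[ip] = 1
                print ip, substr($4, 14, 8)
            }
        }'
}

# Apply the advice with chosen values: 5 failed attempts within 10 minutes.
# The fast source is flagged; the slow one stays under a pure rate limit, one reason
# to pair rate limiting with the notifications and IP blocking this section also recommends.
demo_flag() {
    printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5 600
}

demo_flag
```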
3. Understand File and Folder Permissions
In the vast majority of cases, you shouldn’t need to mess around too much with WordPress defaults, but it’s worth your while having at least a cursory understanding of file permission modes in general.
The two most common modes you will come across are 644 and 755. Each is a three-digit code whose digits set, in order, what the file’s owner, the owner’s group and everyone else may do with the file or directory (read it, write to it, or execute/enter it).
Files and directories set to the 644 mode can be read and written to (this is UNIX-speak for modified in any way) by their owner (the user on the server who created them) but only read by everyone else. This is the ideal setting for many types of files.
The 755 mode meanwhile is mostly used for folders since it allows all users to change into that directory. You’ll occasionally come across plugins that require certain folders to be set to 755.
File and folder permissions can be a head-melting topic if you are new to it but, if you remember nothing else, bear in mind that you should always avoid setting a permission mode to 777 – even if a plugin explicitly asks you to – unless you know exactly what you’re doing.
This mode is basically a big no-no since it grants complete access to absolutely any user, allowing them to read, write to or delete directories at will and potentially cause all sorts of problems.
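As an added example that is not from the article: a small POSIX shell script that decodes the three-digit modes named above into owner/group/other permissions and audits a WordPress-style directory tree for anything world-writable, the property that makes 777 dangerous. The tree it checks is constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Map one octal digit to the rwx triplet it grants.
rwx_of_digit() {
    case "$1" in
        0) echo "---" ;; 1) echo "--x" ;; 2) echo "-w-" ;; 3) echo "-wx" ;;
        4) echo "r--" ;; 5) echo "r-x" ;; 6) echo "rw-" ;; 7) echo "rwx" ;;
        *) echo "???" ;;
    esac
}

# describe_mode 644  ->  owner=rw- group=r-- other=r--
# Accepts the three-digit form used in the article or the four-digit chmod form (0644).
describe_mode() {
    mode="$1"
    case "$mode" in ????) mode="${mode#?}" ;; esac
    owner="${mode%??}"; other="${mode#??}"; group="${mode%?}"; group="${group#?}"
    printf 'owner=%s group=%s other=%s\n' \
        "$(rwx_of_digit "$owner")" "$(rwx_of_digit "$group")" "$(rwx_of_digit "$other")"
}

# Succeeds when the mode lets "everyone else" write: the write bit (2) is set in the last digit.
is_world_writable() {
    mode="$1"
    case "$mode" in ????) mode="${mode#?}" ;; esac
    other="${mode#??}"
    [ $((other & 2)) -ne 0 ]
}

# List every entry under a docroot that any user may write to, as paths relative to it.
# "-perm -0002" is the portable spelling of "other-write bit set".
find_world_writable() {
    find "$1" -perm -0002 | sed "s|^$1/||" | sort
}

# Build a constructed WordPress-style tree in a temp dir with one deliberate 777
# directory, run the audit and print the offenders (expected: wp-content/uploads).
demo_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins"
    : > "$root/wp-config.php"
    : > "$root/wp-content/plugins/index.php"
    chmod 755 "$root" "$root/wp-content" "$root/wp-content/plugins"
    chmod 644 "$root/wp-config.php" "$root/wp-content/plugins/index.php"
    chmod 777 "$root/wp-content/uploads"   # the setting the article warns against
    find_world_writable "$root"
    rm -rf "$root"
}

demo_audit
```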
4. Backup, Backup, Backup
Even though I walk through the valley of the shadow of death, I will fear no evil, for I have dutifully performed backups.
Backups are such a simple yet crucial part of site security they should be preached as gospel.
In the unfortunate event of a security breach – catastrophic or otherwise – you’ll be enormously thankful you had adequate backups. Fail to get them in place in advance and the road back could be long and painful.
The only potential downside is that backups taken only semi-regularly may be out of date by the time you need them, leaving you with some data loss. A weekly or bi-weekly backup should be more than enough for most websites, and these can be automated through plugins so you don’t actually have to remember to perform them manually.
If you’re worried about maintaining a huge library of unnecessary backups, well, that could happen. But then again it’s 2015 – online and offline storage space are both ridiculously cheap and the cost involved is well worth the peace of mind it brings. Plus, you can always rotate the oldest snapshots out of storage once a set amount of time has passed to save on space.
5. Keep WordPress up to Date
We all know how annoying it can get to have to deal with “update available” notifications both for WordPress itself and all the plugins you have installed. However, there’s a reason why development teams go through the trouble of pushing out constant updates and it’s not just to include new features.
Despite how easy it is to use WordPress, it’s still a pretty complex CMS. When you add plugins on top of that, plus the interactions between them, you’re potentially opening up quite a large can of security vulnerabilities that developers need to stay on top of to protect their users.
Skipping that latest update can mean the difference between having a website with a glaring vulnerability that hackers would love to exploit or not.
While you’re at it, don’t skim over the changelogs either! You might miss important information about compatibility issues between plugins or WordPress versions. That’s the kind of stuff that can inadvertently break a website.
WordPress security releases are particularly important to pay attention to so take some time to check your site is up to date as often as possible.
Don’t Worry, There’s a Plugin For That
Alright, now you’ve got a basic understanding of the five basic security measures every WordPress site owner should be familiar with. You can find more great info on the WordPress site itself in the Hardening WordPress section of the Codex.
We’ll now turn our attention to some of the best plugins available for helping you handle some of the heavy lifting around securing your site.
A quick word of warning before we proceed: as with any plugin, there’s a possibility – however remote – that turning on some of the features included within our selections will break or cause errors on your site. They’re generally easier to set up on new installs so, if you’re dealing with a live site, we recommend performing a complete backup before setting anything up.
Let’s look at our selection of five outstanding general WordPress security plugins.
1. Wordfence Security
Compatible up to: 4.3.1
Last updated: 2015-9-14
Rating: 4.9 out of 5 stars (with over a million installs)
Currently the most popular security plugin available for WordPress, Wordfence Security has both free and premium versions. It offers real-time blocking from malicious sources, login security, malware scans, a firewall, support for multi-site, and many other features.
Its monitoring options allow you to scan all of the traffic to your WordPress install in real time and split out humans, bots, login attempts and “site not found” errors.
Wordfence’s main selling point is how it leverages its gigantic base of active users in order to log malicious penetration attempts and block the sources from every other site on its “network”. In essence, the software becomes better at preventing attacks as more people install it.
2. iThemes Security
Compatible up to: 4.3.1
Last updated: 2015-9-15
Rating: 4.7 out of 5 stars (with 600,000+ installs)
Formerly known as Better WP Security, iThemes Security is an established WordPress security solution available in both free and premium versions and should be more than enough to cover most site owners’ bases.
Its features include two-factor authentication with Google Authenticator or Authy, malware scans, forced password expiration dates, file comparison, the ability to temporarily grant admin privileges to other users and detailed logs of users’ actions.
3. All In One WP Security & Firewall
Compatible up to: 4.3.1
Last Updated: 2015-9-18
Rating: 4.9 out of 5 stars (with 200,000+ installs)
A solution that lives up to its name. All In One WP Security & Firewall has a friendly interface that shows you a Security Strength Meter, a Security Points Breakdown and the status of critical features such as default usernames, login lockdowns, file permissions and a firewall.
Its features are divided into basic, intermediate and advanced sections for those who prefer fine-tuning and they include account and login security, registration security, database backup, file system protection, blacklisting, firewall functions, brute-force attack prevention and much more.
The plugin is also available in 11 languages making it an excellent option for multilingual sites.
4. BulletProof Security
Compatible up to: 4.3.1
Last updated: 2015-9-9
Rating: 4.7 out of 5 stars (with 100,000+ installs)
Bulletproof Security is a one-stop shop for solving some of the most common security flaws present in WordPress installs. It includes .htaccess protection, login security protocols, automatic database backups, HTTP error logs, authentication cookies expiration and a multitude of other features.
There’s also a professional premium version costing $59.95 which adds real-time file monitoring, intrusion detection & prevention systems, a firewall just for your plugins, anti-spam measures and 16 further separate plugins for modular coverage.
Setup of the plugin can be performed manually or through a one-click wizard that automatically turns every security feature on.
5. Sucuri Security
Compatible up to: 4.2.5
Last updated: 2015-7-30
Rating: 4.6 out of 5 stars (with 100,000+ installs)
Another solid general solution, Sucuri Security provides overall security auditing, monitoring of file modifications and permissions, malware scanning, blacklists, a firewall, and notifications.
Notifications are delivered via email and you can set a maximum per hour, define a threshold of failed logins from the same IP address before they’re considered malicious, and be alerted of both successful and failed logins and post changes.
Single-Purpose Solutions
While our previously mentioned all-purpose plugins are great for most occasions, you may only be interested in securing a particular aspect of your website.
After all, configuring dozens of features can be a real hassle if you’re only interested in getting one particular job done. Here’s a quick round-up of three handy single-purpose solutions.
1. WP-DB-Backup
Compatible up to: 4.2.5
Last updated: 2015-7-8
Rating: 4.6 out of 5 stars (with 500,000+ installs)
WP-DB-Backup is a very simple plugin which, as its name implies, allows you to perform backups of your core WordPress database files.
The developer made a conscious choice only to allow the backup of core database files since they’re the primary thing you’ll need to recover if your site is breached or falls over.
phpMyAdmin is required to restore your database from a backup, so make sure your hosting control panel includes it (we’re 99.9% sure it will, but it never hurts to be careful).
2. Login Security Solution
Compatible up to: 4.2.5
Last updated: 2015-5-25
Rating: 4.3 out of 5 stars (with 20,000+ installs)
Login Security Solution is a simple plugin dedicated – as its name suggests – to securing your login screen. It’s built to detect anomalies within the process such as detecting login attempts made by “form-filler” programs, matching current login attempts to past ones and determining whether an account has been compromised. It can also analyze the strength of your passwords, force users to constantly change them and notify you whenever a breach is attempted.
3. BBQ: Block Bad Queries
Compatible up to: 4.3.1
Last updated: 2015-8-8
Rating: 5 out of 5 stars (with 50,000+ installs)
Block Bad Queries is the only member of either of our lists with a perfect review score – impressive even if we’re only talking about 35 reviews. It’s lightweight, easy to install and does just what it’s supposed to by screening your traffic and blocking bad queries or malicious URL requests.
Summary
If you’re going to take one thing away from this article, it should be this: don’t panic! Expanding your knowledge is the key to locking down your site and staying calm. Here’s a quick recap of our five essential security measures:
- Use strong usernames and passwords.
- Secure your login screen.
- Understand file and folder permissions.
- Backup your site.
- Keep WordPress up to date.
As a site owner or developer, there will always be vulnerabilities and attack vectors to worry about but it’s never been easier to maintain a secure WordPress install than it is today. The platform itself has been considerably hardened over the years and there are excellent plugin solutions such as the ones we outlined above to help you dial in your settings and sleep better at night.
Do you have any WordPress security tips you’d like to share? Let us know in the comments.
Article thumbnail image by sibgat / shutterstock.com.
Disclosure: If you purchase something after clicking links in the post, we may receive a commission. This helps us keep the free content and great resources flowing. Thank you for the support!
I’m happy to see Login Security Solution getting some recognition. It’s one of my favorite security-related plugins.
These are all great. Thanks for providing this detail!
However, WordPress can shut down most hack attempts with one fairly simple new feature, if they would ever offer it:
Specify Admin Directory Name: [_/wp-admin/_________]
Allow the person installing WP to change the default /wp-admin/ path to whatever they want. Since most hackbots are just running randomly through http://www.domain.com/wp-admin/ looking for a WP login form, this would shut most of them down and make their job a LOT harder.
Perhaps as an added option, allow the installing user to also keep a /wp-admin/ page that displays a dead login form to stall hackers (where clicking the Log In button allows them countless retries and keeps them in limbo).
As an extra precaution, maybe include a button labeled “Resend Login Info.” When clicked, the WP site would send to the administrator’s email (specified during configuration of WP) the correct login location — in case they’ve forgotten where to login.
I like this post. Which is the better security plugin that would have the least conflict with elegant themes plugins and other plugins that you know about?
As far as I know, none of these plugins have integration issues with ET themes or plugins.
I’m a bit new to the security end of things. Do I need all these plugins or just one? I’m speaking of the first group you spoke of.
Start simply:
1. Start with not using “admin” for your username and then set a really good password for yourself. WordPress does not limit character count so make it fairly long (the longer the better) and something you can remember, using at least one of each: lowercase, capital, number and other character. And it doesn’t need to be hard-to-remember stuff like [email protected]#bvdfe>324490; it can be easy for you to remember like MyKat-has6toes! (I just checked this one and it shows it would take 1.49 centuries to crack…)
2. Next, if you are still worried, use a two-factor password. My personal favorite is “Clef”.
3. Keep WordPress and all plugins updated.
Just my personal opinions. ernie.
The fact that my sisters cat has 6 toes may or may not influence my password(s)… 🙂
We install iTheme Security + Sucuri Malware Scanner in all our websites. These 2 plugins together provide a high level of security. Recommended.
A good tip against brute force attacks is changing the default url of the dashboard. It can be done easily with iTheme.
For backup BackupBuddy is a great solution.
I agree, we do exactly the same and it has been great so far. You do need to experiment with iTheme Security a little bit though (as this article suggests) as it can throw up some errors with some plugins and themes, but it’s worth the effort.
I have found Word Fence to be invaluable! I have also used Sucuri with great results!
I use ‘wordfence’ coupled with ‘Infinitewp update centre’, which monitors all my sites for updates and will also update them all with one click.
Hey Tom,
Always great to see a wrap up on this topic- Thanks.
All points/tips we regularly tell clients, particularly those that don’t want to pay for site maintenance!
Yes.. there is some gnashing of teeth for custom themes we then have to “update WP” on..Sigh. (Even great Elegant Themes .. LOL)
One basic tip: never make the wp-admin main logon ‘Admin’!
Call it anything else.
And remember to go check all those plugins/site after updating.
Never assume it is OK.
As you have said.. sometimes Sh** happens.
I’d like to see a comparison grid of all the mentioned solutions. Being able to see how to cover all bases without over duplicating the same task would be really helpful. I’m a fan of ithemes and use the malware scan built into Backupbuddy. How is that different than adding malware scanning to ithemes Security?
I think that you’ve covered everything there Tom… a must read for all WordPress users.
Unfortunately for many WordPress users security is usually an afterthought, not a priority.
Good article.. p.s wordfence is a great security plugin. We use it on every website..some pro some free.
As always, keep a backup of your website, these can be accessed through your hosting account such as cpanel, choose from a reliable hosting mentioned above. One more thing, don’t download themes and plugins that are billed – these may have backdoors and spam links, get your sites banned in the process.
Hello
Thanks for the tips. We use Wordfence Security on one of our sites and we are very happy with it. I think we should do it on all of our websites.
Hmm… #5 says to keep wordpress up to date and then some of the plugins suggested don’t allow you to use the latest version according to this article anyway.
and if you get it all right you better be on the right hosting….
Great summary, Tom. Since I recently moved hosts for some of my and my clients’ sites to Cloudways, I’ve been able to detect bot traffic that slows down my sites, that I couldn’t see before. In trying to find a good way to secure the login screen from brute force attacks, but also to hide it, so that the attacks don’t happen in the first place, I’ve found a good combination of two plugins that do the trick nicely. Login Lockdown tracks IPs to limit login attempts from bots, and WPS Hide Login lets me change the login URL and hides wp-admin. Unfortunately, I also found one plugin conflict. WPS Hide Login does not play well with Wordfence. I hope this might be helpful to others – I was able to reduce server load a lot, and speed up my sites with this security combination.
While in part I agree with this post, it looks more like advertising or at least overkill in security. The majority of plugins are bad as all of them heavily rely on WP. Best is to try to prevent bad stuff before it even reaches WP.
Strong usernames and passwords are a good start; captcha can help but mainly for comments, but for login I would use htaccess to prevent even loading that page for unauthorized people and bots.
In case you are on a VPS then fail2ban can be of even greater help. With the rest, excluding plugins, I agree.
The only thing you forgot to mention is the exploit of the xmlrpc.php file, which is still active. I posted a few times on WP.org but until today I never got any reply. The problem is that bots become smarter and instead of hitting the login page with bruteforce attacks they shifted to the xmlrpc.php file. Whatever you do with your login page, e.g. captcha, htaccess, move to another folder, etc., means nothing if you didn’t block or limit access to the xmlrpc.php file.
Best security option which will stop all those hacker attacks: IP Block your wp-admin, wp-login pages
Great post, very informative! The explanations are really clear, thanks a lot!
Good tips! If I remember well, there was a plugin that allows changing the login URL. I found it very useful for security.
Thanks for content 🙂
Dear Sir, very new to WP, about nine months, at 50 years old, so a very steep learning curve. My idea of IT was connecting a HDMI cable! Running WP + Headway Themes. Was running another firewall plugin but it crashed my two sites. So I have recently given iThemes Security a go. Avoided it because I thought it conflicted with WordPress, but all good so far. I have listed my security plugins below. Would you be so kind to tell me if I should get rid of any, or if they are OK? Cheers and hope you will answer my Q’s?
a) iThemes Security.
b) Wordfence Security.
c) Sucuri Security.
d) Block Bad Queries (BBQ).
e) UpdraftPlus – Backup/Restore (happy with it but thinking of Vaultpress?)
f) Customizer Remove All Parts (completely removes the WordPress Customizer from loading in your install.)
g) Login LockDown (adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range.)
h) Login Security Solution (requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions.)